

DNSSEC Key Roll-over Pitfalls

A few weeks ago the RIPE NCC was alerted to a rapid increase in DNSKEY queries for its signed reverse DNS zones. We did some investigations. Read about the results in this article.

A few weeks ago the RIPE NCC was alerted to a rapid increase in DNSKEY queries for its signed reverse DNS zones. When we investigated the cause of this problem, we discovered that recent versions of the Fedora Linux distribution ship with a package called "dnssec-conf", which contains an outdated set of the RIPE NCC's DNSSEC trust anchors (see the details in a mail by Anand Buddhdev, DNS Services Manager of the RIPE NCC, sent to the RIPE DNS WG mailing list on 5 February 2010).

Following this, Geoff Huston, George Michaelson, Patrik Wallström and Roy Arends did some more analysis and found that "the problem is shown to be an outcome of the interaction of the distribution of key material and the regular rollover of the Key Signing Key (KSK) that forms the trust anchor for the signed zone.

When these resolver implementations fall out of sync with the zone's keys then they do not quietly fail, but instead they enter a period of sustained query thrashing, sending the same query to all the name servers of a zone with up to a thousand repetitions from each single initial seed query."
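The interaction quoted above, as an added example that is not part of the original article or of the analysis it cites: a small Python model of a pre-publish KSK rollover, a resolver whose configured trust anchors are never updated, and the query load that results when validation fails. Key tags, name server names, the log format and the client addresses are constructed placeholders, not RIPE NCC keys or servers; the "RFC 5011-style" resolver is a deliberate simplification (it adopts any KSK published alongside one it already trusts, with no hold-down timer). The second function shows the defender's view, counting repeated DNSKEY queries per client in constructed query-log lines.

```python
"""Model of a KSK rollover interacting with stale resolver trust anchors.

Added example, not the article's own code. All key tags, server names,
addresses and log lines are constructed placeholders.
"""
import re
from dataclasses import dataclass

NAME_SERVERS = ["ns1.example", "ns2.example", "ns3.example"]  # constructed

# Pre-publish KSK rollover: each step is the set of KSK key tags present in
# the zone's DNSKEY RRset (constructed placeholder tags).
ROLLOVER = [
    {10001},          # step 0: only the old KSK
    {10001, 20002},   # step 1: new KSK pre-published next to the old one
    {20002},          # step 2: old KSK withdrawn
]


def validates(zone_ksks, trust_anchors):
    """The DNSKEY RRset validates if it is signed by a key the resolver
    trusts. The model assumes every KSK in the RRset signs it."""
    return bool(zone_ksks & trust_anchors)


@dataclass
class Resolver:
    trust_anchors: set
    retries_on_failure: int      # re-queries per name server after a failure
    tracks_rollover: bool = False  # simplified RFC 5011-style anchor update

    def resolve_step(self, zone_ksks):
        """Return the number of DNSKEY queries sent for one lookup."""
        if self.tracks_rollover and zone_ksks & self.trust_anchors:
            # A new KSK published together with a trusted one is adopted
            # (real RFC 5011 adds a hold-down period before trusting it).
            self.trust_anchors |= zone_ksks
        if validates(zone_ksks, self.trust_anchors):
            return 1  # one query, answer cached
        # Validation failure: the thrashing behaviour the analysis describes,
        # every name server re-asked up to retries_on_failure times.
        return len(NAME_SERVERS) * self.retries_on_failure


def run(resolver, timeline=ROLLOVER):
    """Queries per rollover step for one resolver."""
    return [resolver.resolve_step(ksks) for ksks in timeline]


# Constructed query-log lines: one client repeating the same DNSKEY query.
SAMPLE_LOG = (
    ["10:00:01 client 192.0.2.10#5353 query: zone.example IN DNSKEY"] * 12
    + ["10:00:02 client 192.0.2.20#5353 query: zone.example IN DNSKEY"]
)

LOG_RE = re.compile(r"client (\S+?)#\d+ query: (\S+) IN DNSKEY")


def flag_thrashing(log_lines, threshold=10):
    """Return (client, zone) pairs that sent >= threshold DNSKEY queries."""
    counts = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        key = (m.group(1), m.group(2))
        counts[key] = counts.get(key, 0) + 1
    return sorted(k for k, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # Stale anchors and a thousand retries per server, as in the quoted text.
    print("stale, retrying:", run(Resolver({10001}, 1000)))
    print("stale, no retry:", run(Resolver({10001}, 1)))
    print("tracks rollover:", run(Resolver({10001}, 1000, tracks_rollover=True)))
    print("thrashing clients:", flag_thrashing(SAMPLE_LOG))
```

The stale resolver validates fine through the pre-publish step and only fails once the old KSK is withdrawn, which is why the problem surfaces at the regular rollover rather than when the outdated package is installed; keeping anchors current (or capping retries after a validation failure) removes the spike.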
